Open RobMahn opened 1 year ago
Hi,
The test for strict-transport-security is done by your browser. A good way to debug those requests is your browser's network inspector.
Starting point: Is the request done to the right path? If Nextcloud is installed at domain.com/cloud but the request for the strict-transport-security goes to domain.com, Nextcloud is not configured properly.
Hi :) I have a similar issue. When loading the overview the first time, all checks passed. When I reload, I'm getting the same error. When I reload with "Shift+F5", all checks pass again. I don't know which version causes this problem, but it has occurred for at least a longer time. My setup: apache2 + PHP8.1
This is correct behavior for NGINX inheritance since add_header lines are not inherited (integrated) at a lower level if there are add_header lines at that lower level. See:
Perhaps it could be better documented in the example configuration that enabling add_header lines at different levels means considering the implications on one's add_header lines elsewhere, but that's more a general NGINX configuration matter than NC specific (and NGINX isn't officially supported).
As an additional bit of sanity checking, you can verify the configured headers are being sent with this command (if you don't feel like digging around in your browser console):
curl --head http[s]://nc-test.mydomain.com
This would be a good situation to post about over at the Nextcloud community forums (https://help.nextcloud.com/). I suspect others have - or will - encounter it.
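The inheritance rule described in the comment above, as an added example (not code from this thread or from the Nextcloud project): a small Python check that walks a simplified nginx configuration and lists the blocks where a server-level Strict-Transport-Security header is replaced by add_header lines set at a lower level. The sample configuration, the parser and the function names are constructed for illustration; `include` files and trailing comments are not handled.

```python
import re

# Constructed sample (not the reporter's real config): HSTS at server level,
# the other security headers inside the Nextcloud location block.
SAMPLE_CONF = r'''
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    location ^~ /nextcloud {
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        location ~ \.php(?:$|/) { fastcgi_pass php-handler; }
    }
    location = /robots.txt { allow all; }
}
'''

# Quoted strings are single tokens, so a ';' inside a header value is not a terminator.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each."""
    root = {"name": "", "own": set(), "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"(?m)^\s*#.*$", "", conf)):
        if tok == "{":
            node = {"name": " ".join(words), "own": set(), "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and len(words) > 1 and words[0] == "add_header":
            stack[-1]["own"].add(words[1].strip("\"'").lower())
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return root

def masked(node, header="strict-transport-security",
           inherited=frozenset(), declared=False, path=""):
    """Return blocks where `header` is set at an outer level but not sent."""
    # A level with any add_header of its own sends only those; otherwise it inherits.
    sent = node["own"] or inherited
    declared = declared or header in node["own"]
    here = " > ".join(p for p in (path, node["name"]) if p)
    out = [here] if declared and header not in sent else []
    for child in node["children"]:
        out += masked(child, header, frozenset(sent), declared, here)
    return out

if __name__ == "__main__":
    for block in masked(parse(SAMPLE_CONF)):
        print("HSTS not sent from:", block)
```

Repeating the Strict-Transport-Security line inside the flagged location block, or moving all add_header lines to one level, clears the report.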
Bug description
The 'Security & setup warning' 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds' is displayed when configured as documented for "Nextcloud in a subdir of the NGINX Webroot".
I have found that if I move the other "HTTP response headers borrowed from Nextcloud .htaccess" from the location specific section to the global section immediately following the Strict-Transport-Security line, the error will go away. I assume that the test is incorrect, rather than the documentation, as it seems the global setting should work with the other settings being location specific.
Steps to reproduce
Expected behavior
The configuration warning does not display when configured as documented.
Installation method
None
Nextcloud Server version
26
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
No response
List of activated Apps
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response